本文介绍对RTL进行加密的几种方法。
概述
对RTL进行加密的方法,主要有以下几种:
对RTL源码进行加密
该方法是将源码用key进行加密,然后由工具进行解密,用户无法看到解密后的文件。
优点是,解密后和源代码几乎一样,可以仿真,可以综合。
缺点是,完全无法阅读,仿真时也无法看到hierarchy,可能需要为不同的工具单独加密,比如vcs/dc/vivado。
将RTL综合成网表
该方法时将RTL综合成网表,对用户提供网表文件。
优点是,使用简单
缺点是,不便于仿真
将RTL加扰
该方法只是将RTL中的信号名和模块名改成无意义的名字,这样类似于网表方案,用户无法分析其含义。
优点是,不需要解密,直接提供的是RTL源码,所有仿真综合都可以无缝使用
缺点是,加密程度低
对RTL源码加密
预处理
一般项目文件都比较多,而且需要定义不同的宏,为了方便后面加密以及使用,可以先将所有文件进行预处理,把宏去掉,并处理成一个文件。
这里采用了vppreproc工具进行预处理。
该工具是verilog-perl的一个子工具,这个工具包内还由vhier, vpassert, vrename等工具。
vhier可以列出hierarchy,vrename可以将信号改名。
https://github.com/veripool/verilog-perl/blob/master/README.pod
这里只介绍vppreproc。
Description
vppreproc - Preprocess Verilog code using verilog-perl
Vppreproc reads the Verilog files passed on the command line and outputs preprocessed output to standard out or the filename passed with -o.
Synopsis
1 | vppreproc [verilog_options] [-o filename] [verilog_files.v...] |
Verilog Arguments
The following arguments are compatible with GCC , VCS and most Verilog programs.
+define+var+value =item -Dvar=value
Defines the given preprocessor symbol.
-f file
Read the specified file, and act as if all text inside it was specified as command line parameters.
-f file
Read the specified file, and act as if all text inside it was specified as command line parameters. Any relative paths are relative to the current directory.
+incdir+dir =item -Idir
Add the directory to the list of directories that should be searched for include directories or libraries.
+libext+ext+ext…
Specify the extensions that should be used for finding modules. If for example module x is referenced, look in x.ext.
-y dir
Add the directory to the list of directories that should be searched for include directories or libraries.
Vppreproc Arguments
–help
–o file
Use the given filename for output instead of stdout.
–dump-defines
Suppress normal output, and instead print a list of all defines existing at the end of processing the input file.
–noblank
Removes empty lines from the output. Should be used with –noline, as if correct line numbers are needed, blank lines must be preserved for proper accounting by the program reading the output of vppreproc.
–nocomment
Remove comments.
–noline
Remove ‘line directives.
–pedantic
Rigorously obey the Verilog spec. This disables the ‘error feature, and may disable other features that are not specified in the approved language reference manual. Defaults false.
–simple
Requests simple output, an alias for –noline, –nocomment and –noblank.
–sythesis
Define SYNTHESIS , and ignore text bewteen “ambit”, “pragma”, “synopsys” or “synthesis” translate_off and translate_on meta comments. Note using metacomments is discouraged as they have led to silicon bugs (versus ifdef SYNTHESIS ); see http://www.veripool.org/papers/TenIPEdits_SNUGBos07_paper.pdf.
–version
Displays program version and exits.
Example
下面是个较常用的例子。
下面命令将一个filelist的所有文件,去宏,并得到preproc.v。
1 | $ vppreproc -F filelist.F --simple +define+MYDEF="1'b0" +define+MYDEF2 +define+MYDEF3=1 +incdir+../xx/ --o preproc.v |
下面命令将所有的宏定义输出,这样方便回溯。
1 | $ vppreproc -F filelist.F --dump-defines --simple +define+MYDEF="1'b0" +define+MYDEF2 +define+MYDEF3=1 +incdir+../xx/ --o preproc.v > defines |
VCS加密
VCS命令本身支持加密。
syntax
+putprotect+target_dir
Specifies the target directory for protected files
-autoprotect128
For Verilog and VHDL files, VCS encrypts the module port list (or UDP terminal list) along with the body of the module (or UDP).
-auto2protect128
For Verilog and VHDL files, VCS encrypts only the body of the module or UDP. It does not encrypt port lists or UDP terminal lists. This option produces a syntactically correct Verilog module or UDP header statement.
-auto3protect128
This option is similar to the -auto2protect128 option except that VCS does not encrypt parameters preceding the ports declaration in a Verilog module.
+autoprotect[file_suffix]
Creates a protected source file; all modules are encrypted.
+auto2protect[file_suffix]
Creates a protected source file that does not encrypt the port connection list in the module header; all modules are encrypted.
+auto3protect[file_suffix]
Creates a protected source file that does not encrypt the port connection list in the module header or any parameter declarations that precede the first port declaration; all modules
are encrypted.+deleteprotected
Allows overwriting of existing files when doing source protection.
Example
1 | $ vcs -full64 +v2k +putprotect+builds/ +auto3protect demo.v +deleteprotected |
Xrun加密
cadence的仿真工具也支持加密,是用xmprotec命令。
Example
1 | xmprotect -language vlog -autoprotect demo.v |
DC加密
Syntax
1 | synenc [options] file1 [file2..fileN] |
- -r path. SYNOPSYS root path
- -o filename. wirite the encrypted output to filename; will be ignored if used for multiple input files
- -ansi. put the encrypted out files in the same directory as the input files; will be ignored if used with the ‘-o’ option for single input file
- -zip. compress output
- -enable_macro_report. macro definition can be reported by HDL compiler
Example
1 | $ /synopsys/syn/P-2019.03-SP4/linux64/syn/bin/synenc -r /synopsys/syn/P-2019.03-SP4 -ansi demo.v |
Vivado 加密
Vivado对IP代码加密方法,参考UG118文档(https://www.xilinx.com/support/documentation/sw_manuals/xilinx2017_2/ug1118-vivado-creating-packaging-custom-ip.pdf)。
先要申请license,EncryptedWriter_v2,方法参考,https://www.xilinx.com/support/answers/68071.html
syntax
1 | encrypt [-key <arg>] -lang <arg> [-quiet] [-verbose] [-ext <arg>] <files>... |
- -ext option to prevent encrypt from overwriting, or make copies of your source file prior to running the encrypt command.
- -key option specifies an RSA key file that includes the IEEE-1735-2014 V2 supported pragmas that provide the encryption key, define access rights, and other optional information. The key file must use the same language and extension as the source files being encrypted (VHDL, Verilog, SystemVerilog).
- -lang option Specify the target language as Verilog.
Example
下面是个例子。
1 | $ cat enc.tcl |
Synplify加密
synplify支持多种加密方式。它可以直接读取synenc工具加密的文件(synplify版本需要2018)。也可以直接读取encryptP1735.pl加密的文件。下面介绍这个加密的语法。
syntax
1 | perl /synopsys/fpga/fpga201703/lib/encryptP1735 -list mylist -log 1.log |
- -list。指定filelist。